Bash update for SLES 11 SP1?



philhess
25-Sep-2014, 21:46
I'm somewhat new to how SLES does updates and I see that SP1 is not supported at this time. However, in YAST online updates, All Patches, I see the update for bash that is needed, CVE-2014-6271. I check to install it and YAST appears that it's installing, but then the screen just closes. I've also tried to install it with zypper in -t patch dbgsp1-bash and it says the following NEW patch is going to be installed dbgsp1-bash Nothing to do. So again it's like it just quits. I'm using the nu.novell.com/repo as my repository. I appreciate any help. Thanks.

malcolmlewis
25-Sep-2014, 22:12
Hi
I don't think that is the correct package, more likely the debug
version of bash for SP1.

If you have LTSS (Long Term Service Support) for SP1, it should be
there as bash updates. Else you would/should probably look at an
upgrade?

Else you would need to grab the patches online and work through the
source code for your bash release (version 3.2?) to apply them and
rebuild your bash source and install.


--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-21-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

philhess
25-Sep-2014, 22:58
Thanks for the reply. I don't have LTSS that I know of. I did not install this server. I agree it's probably debug by the dbgsp1 label.
Would it be easier to upgrade to SP3 or recompile bash? Yes bash is 3.2.

malcolmlewis
26-Sep-2014, 00:06
Hi
Unless you have an active subscription, updating to SP3 won't help?

It would all depend on what is running on your system; you would need to check whether any third-party applications that you use work with SP3.

philhess
26-Sep-2014, 01:50
No active subscription but could buy it. Very simple install of our own jboss application and Apache tomcat web site. Also have a duplicate test VM of this machine. Again just want the fastest easiest way to get it patched since our apps are outside accessible. Thanks.

malcolmlewis
26-Sep-2014, 03:02
Hi
The only way to get there is upgrade to SP2 and then to SP3...
https://www.suse.com/support/kb/doc.php?id=7012368

See "Upgrading from SLES / SLED 11 (GA version, and Service Pack 1)"


philhess
26-Sep-2014, 03:31
Thanks for the info. I'm really hoping someone publishes how to manually update bash...

malcolmlewis
26-Sep-2014, 03:45
Hi
So this is bash 4.3...
https://build.opensuse.org/package/binaries/shells/bash43?repository=SLE_11_SP1

You need the readline packages as well.
http://download.opensuse.org/repositories/shells/SLE_11_SP1/

Test it in your VM first! ;)


philhess
26-Sep-2014, 04:11
Ok thank you. 4.3 is still vulnerable though correct?

malcolmlewis
26-Sep-2014, 12:01
Hi
Not that version, it's been fixed...see the changelog
https://build.opensuse.org/package/view_file/shells/bash43/bash.changes?expand=1


philhess
26-Sep-2014, 12:25
Great, thanks! I'll work on installing today.

philhess
26-Sep-2014, 14:12
Looks like manually installing the readline rpm and bash rpm worked for patching the vulnerability. bash --version now shows 4.3.24(1) and the shellshock test shows:

bpm:~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
bpm:~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Thank you very much for the help!!
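
The before-and-after test from the post above, wrapped as a repeatable check (an added example, not part of the original thread): it runs the same probe against each bash binary it finds and classifies the output. The function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: classify a shell binary using the CVE-2014-6271 test
# quoted in this thread. Function names and paths are hypothetical.

# Read the probe's combined output on stdin and print a verdict.
classify_output() {
    out=$(cat)
    # A vulnerable bash runs the trailing command while importing the
    # function definition, so a line that is exactly "vulnerable" appears.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"
    # The payload of -c ran and nothing was injected ahead of it.
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo "not vulnerable"
    else
        # The shell did not run the command at all; do not report a pass.
        echo "unknown"
    fi
}

# Run the thread's probe against one shell binary.
check_shell() {
    shell_bin=$1
    if [ ! -x "$shell_bin" ]; then
        echo "missing"
        return 2
    fi
    # env -i starts from an empty environment so only the probe variable
    # is passed; 2>&1 keeps the "ignoring function definition" warnings.
    env -i x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo this is a test' 2>&1 |
        classify_output
}

# Check every copy of bash in the usual locations (assumed paths); a
# manually installed rpm can leave an older binary elsewhere on disk.
for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -x "$candidate" ]; then
        printf '%s: %s\n' "$candidate" "$(check_shell "$candidate")"
    fi
done
```

A "not vulnerable" result covers only this probe for CVE-2014-6271, so the check is worth re-running after each later bash update.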

malcolmlewis
26-Sep-2014, 14:49
Hi
No problem :) Just keep an eye on that repository as there will be
another update for sure on the other CVE.


philhess
26-Sep-2014, 15:07
Will do, as it's been published that is not the final fix for bash. Thanks again!